[Pacemaker] ACL setup

Larry Brigman larry.brigman at gmail.com
Fri Jan 13 13:55:30 EST 2012


On Thu, Jan 5, 2012 at 12:34 AM, Gao,Yan <ygao at suse.com> wrote:

> On 01/05/12 13:23, Larry Brigman wrote:
> > On Wed, Jan 4, 2012 at 8:50 PM, Gao,Yan <ygao at suse.com> wrote:
> >
> >     > [root at sweng0096 ~]# crm configure property enable-acl=true
> >     > [root at sweng0096 ~]# crm
> >     > crm(live)#
> >     > role monitor \
> >     >>         read xpath:"/cib"
> >     > crm(live)configure#  user nvs role:monitor
> >     > crm(live)configure# user acm role:monitor
> >     > crm(live)configure# commit
> >     > crm(live)configure# exit
> >     > bye
> >     > [root at sweng0096 ~]# su - nvs
> >     > [nvs at sweng0096 ~]$ crm status
> >     >
> >     > Connection to cluster failed: connection failed
> >     What about:
> >     # id nvs
> >     # ls -ld /var/run/crm
> >     # ls -l /var/run/crm
> >
> > [root at myname run]# id nvs
> > uid=500(nvs) gid=500(nvs) groups=500(nvs),3(sys)
> Any user who wants to access cib should belong to "haclient" group.
> That's the prerequisite.
>
> > [root at myname ~]# cd /var/run/crm
> > [root at myname crm]# ls
> > attrd  cib_callback  cib_ro  cib_rw  crmd  pengine  st_callback  st_command
> > [root at myname crm]# cd ..
> > [root at myname run]# ls -ld crm
> > drwxr-x--- 2 hacluster haclient 200 Jan  4 10:31 crm
> > [root at myname run]# ls -l crm
> > total 0
> > srwxrwxrwx 1 hacluster root 0 Jan  4 10:31 attrd
> > srwxrwxrwx 1 hacluster root 0 Jan  4 10:31 cib_callback
> > srwxrwxrwx 1 hacluster root 0 Jan  4 10:31 cib_ro
> > srwxrwxrwx 1 hacluster root 0 Jan  4 10:31 cib_rw
> > srwxrwxrwx 1 hacluster root 0 Jan  4 10:31 crmd
> > srwxrwxrwx 1 hacluster root 0 Jan  4 10:31 pengine
> > srwxrwxrwx 1 root      root 0 Jan  4 10:31 st_callback
> > srwxrwxrwx 1 root      root 0 Jan  4 10:31 st_command
> >
> > If I change the crm directory permissions from 750 to 755 then
> > things work.  Should that be needed?
> No. 750 is expected.
>
> >
> > Looking at the spec file I find the following:
> > %dir %attr (750, %{uname}, %{gname}) %{_var}/run/crm
> >
> > Adding the user to the haclient group works but then the user has
> > full write access which isn't what is wanted.
> It seems that either the running cib is not built "--with-acl" or acl is
> not enabled with "crm configure enable-acl=true". If either of them is not
> satisfied, the regular user gets full access.
>


The last piece, last time, was that the users were not in the haclient group.

I now have all of that automated during our install, but the users are still
getting an access error for a time after this is configured; then it starts
working. We don't have any existing changes going into the cib. The only thing
I did that might have caused this to start working (and it wasn't a write) was:

cibadmin --query

After that command things seem to work for a role-based user with read-only
access.
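As an added example (not part of this thread or of Pacemaker itself), a small POSIX shell script that checks the three prerequisites the exchange above settled on: haclient group membership, the expected 750 mode on /var/run/crm, and enable-acl=true in the CIB. The live check assumes the id, ls and crm commands and the /var/run/crm path shown above; the helpers take command output as strings so they can be exercised offline on constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread: checks the prerequisites the thread
# identifies before a read-only ACL role takes effect for a user:
#   1. the user is in the haclient group (the gate on /var/run/crm, mode 750)
#   2. /var/run/crm is drwxr-x--- hacluster:haclient (750 is expected)
#   3. enable-acl=true is set in the CIB (otherwise ACLs are not enforced
#      and any haclient member gets full write access)
# The helpers take command output as a string so they can be checked offline.

# in_haclient "<output of id USER>": succeed if haclient appears as the
# primary (gid=) or a supplementary (groups=) group.
in_haclient() {
    printf '%s\n' "$1" | grep -qE '[=,][0-9]+\(haclient\)'
}

# crm_dir_ok "<output of ls -ld /var/run/crm>": succeed only for the
# expected mode and group; 755 "works" but removes the group gate.
crm_dir_ok() {
    set -- $1                     # split into ls fields: mode links owner group ...
    [ "$1" = "drwxr-x---" ] && [ "$4" = "haclient" ]
}

# acl_enabled "<output of crm configure show>": succeed if enable-acl is set
# to a true value (Pacemaker accepts true/on/yes/1, quoted or unquoted).
acl_enabled() {
    printf '%s\n' "$1" | grep -qE 'enable-acl="?(true|on|yes|1)"?([[:space:]]|\\|$)'
}

# Live check on a cluster node (assumes the id, ls and crm commands and the
# /var/run/crm path seen in the thread).
check_acl_user() {
    rc=0
    in_haclient "$(id "$1")" \
        || { echo "$1: not in the haclient group (prerequisite)"; rc=1; }
    crm_dir_ok "$(ls -ld /var/run/crm)" \
        || { echo "/var/run/crm: expected drwxr-x--- hacluster:haclient"; rc=1; }
    acl_enabled "$(crm configure show 2>/dev/null)" \
        || { echo "enable-acl is not true in the CIB: ACLs are not enforced"; rc=1; }
    return $rc
}

if [ $# -eq 1 ]; then
    check_acl_user "$1"
fi
```

Run it as `sh check_acl.sh nvs` on a node; a non-zero exit with one of the messages above points at which of the three prerequisites is still missing.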